If you believe what the likes of LG and Samsung have been promoting this week at CES, everything will soon be smart. We'll be able to send messages to our washing machines, run apps on our fridges, and have TVs as powerful as computers. It may be too late to resist this movement, with smart TVs already firmly entrenched in the mid-to-high end market, but resist it we should. That's because the "Internet of things" stands a really good chance of turning into the "Internet of unmaintained, insecure, and dangerously hackable things."

These devices will inevitably be abandoned by their manufacturers, and the result will be lots of "smart" functionality—fridges that know what we buy and when, TVs that know what shows we watch—all connected to the Internet 24/7, all completely insecure.

While the value of smart watches or washing machines isn't entirely clear, at least some smart devices—I think most notably phones and TVs—make sense. The utility of the smartphone, an Internet-connected computer that fits in your pocket, is obvious. The growth of streaming media services means that your antenna or cable box is no longer the sole source of televisual programming, so TVs that can directly use these streaming services similarly have some appeal.

But these smart features make the devices substantially more complex. Your smart TV is not really a TV so much as an all-in-one computer that runs Android, WebOS, or some custom operating system of the manufacturer's invention. And where once it was purely a device for receiving data over a coax cable, it's now equipped with bidirectional networking interfaces, exposing the Internet to the TV and the TV to the Internet.

The result is a whole lot of exposure to security problems. Even if we assume that these devices ship with no known flaws—a questionable assumption in and of itself if SOHO routers are anything to judge by—a few months or years down the line, that will no longer be the case. Flaws and insecurities will be uncovered, and the software components of these smart devices will need to be updated to address those problems. They'll need these updates for the lifetime of the device, too. Old software is routinely vulnerable to newly discovered flaws, so there's no point in any reasonable timeframe at which it's OK to stop updating the software.

In addition to security, there's also a question of utility. Netflix and Hulu may be hot today, but that may not be the case in five years' time. New services will arrive; old ones will die out. Even if the service lineup remains the same, its underlying technology is unlikely to be static. In the future, Netflix, for example, might want to deprecate old APIs and replace them with new ones; Netflix apps will need to be updated to accommodate the changes. I can envision changes such as replacing the H.264 codec with H.265 (for reduced bandwidth and/or improved picture quality), which would similarly require updated software.

To remain useful, app platforms need up-to-date apps. As such, for your smart device to remain safe, secure, and valuable, it needs a lifetime of software fixes and updates.

A history of non-existent updates

Herein lies the problem, because if there's one thing that companies like Samsung have demonstrated in the past, it's a total unwillingness to provide a lifetime of software fixes and updates. Even smartphones, which are generally assumed to have a two-year lifecycle (with replacements driven by cheap or "free" contract-subsidized pricing), rarely receive updates for the full two years (Apple's iPhone being the one notable exception).

A typical smartphone bought today will remain useful and usable for at least three years, but its system software support will tend to dry up after just 18 months.

This isn't surprising, of course. Samsung doesn't make any money from making your two-year-old phone better. Samsung makes its money when you buy a new Samsung phone. Improving the old phones with software updates would cost money, and that tends to limit sales of new phones. For Samsung, it's lose-lose.

Our fridges, cars, and TVs are not even on a two-year replacement cycle. Even if you do replace your TV after it's a couple years old, you probably won't throw the old one away. It will just migrate from the living room to the master bedroom, and then from the master bedroom to the kids' room. Likewise, it's rare that a three-year-old car is simply consigned to the scrap heap. It's given away or sold off for a second, third, or fourth "life" as someone else's primary vehicle. Your fridge and washing machine will probably be kept until they blow up or you move houses.

LG is using the ill-fated WebOS to power its smart TVs. Eventual abandonment is WebOS's inevitable fate.

These are all durable goods, kept for the long term without any equivalent to the smartphone carrier subsidy to promote premature replacement. If they're going to be smart, software-powered devices, they're going to need software lifecycles that are appropriate to their longevity.

That costs money, it requires a commitment to providing support, and it does little or nothing to promote sales of the latest and greatest devices. In the software world, there are companies that provide this level of support—the Microsofts and IBMs of the world—but it tends to be restricted to companies that have at least one eye on the enterprise market. In the consumer space, you're doing well if you're getting updates and support five years down the line. Consumer software fixes a decade later are rare, especially if there's no system of subscriptions or other recurring payments to monetize the updates.

Of course, the companies building all these products have the perfect solution. Just replace all our stuff every 18-24 months. Fridge no longer getting updated? Not a problem. Just chuck out the still perfectly good fridge you have and buy a new one. This is, after all, the model that they already depend on for smartphones. Of course, it's not really appropriate even to smartphones (a mid/high-end phone bought today will be just fine in three years), much less to stuff that will work well for 10 years.

These devices will be abandoned by their manufacturers, and it's inevitable that they are abandoned long before they cease to be useful.

Superficially, this might seem to be no big deal. Sure, your TV might be insecure, but your NAT router will probably provide adequate protection, and while it wouldn't be tremendously surprising to find that it has some passwords for online services or other personal information on it, TVs are sufficiently diverse that people are unlikely to expend too much effort targeting specific models.

Bringing planned obsolescence to our durable goods

But I think the issue is more significant than it might seem. First, I don't think this kind of enforced, premature obsolescence is good for anyone other than hardware companies. Replacing an otherwise perfectly good TV ahead of time just because its Netflix app is stale and no longer maintained is a reprehensible waste of resources. I would like to think that most people would recognize the wastefulness this represents and wouldn't ditch their TV just because its built-in Netflix app is out of date. But I'm confident that such thoughts have entered the minds of TV company executives, and they're hoping people do precisely that. You'll have a TV that works well for a year or two and then gets worse. If you sell TVs, that's good news.

Second, not all devices are as trivial as TVs. Cars are increasingly computerized. They're also really insecure in ways that unambiguously compromise safety. Smart cars (as distinct from oh so cute Smart cars), boasting their own Internet connections and rich software platforms, are only going to make this worse. Worse, it doesn't seem that car companies take software security seriously.

So if you want to participate in the Internet of things, your choice will be to send your perfectly good car to the crusher or let any bored hacker disable your brakes, probably by sending you a text message or something equally insane. The sensible option? Don't participate in the Internet of things. Take out the SIM, turn off the Bluetooth. Use the perfectly good satnav app that your phone has.

I don't want to sound all Luddite here. I got a new TV recently, and it's a smart TV. It's pretty unavoidable if you want a mid-range or better set. I love the idea of all our things being connected to the Internet, of having our media follow us, available and accessible from whatever device we happen to be using (though this only goes so far; I cannot fathom the appeal of smart fridges or washing machines). But a world of hundreds of millions of connected devices, all ignored and abandoned by their manufacturers, is not a healthy one.

As such, there are only two ways in which smart devices make sense. Manufacturers either need to commit to a lifetime of updates, or the devices need to be very cheap so they can be replaced every couple years.

If manufacturers won't commit to providing a lifetime of updates—and again, the experience with smartphones is, I think, instructive here—then these smart devices are a liability. Avoiding them entirely is troublesome, but we can certainly avoid using them. Ignore the smarts built into your TV. Don't add your account details to the Netflix app, don't hook them up to your networks, don't show them when the TV boots. Don't stick a SIM into your smart car. Don't play the manufacturer's game.

Instead, use smarts elsewhere. For example, instead of using the smartness in your TV (such that upgrading the smarts means upgrading the entire TV too, pointlessly wasting the LCD), you leave the smarts in a small set-top box like a Roku or an Apple TV. That will give you your streaming media and rich connectivity, but it's in a box that's relatively disposable. Sure, even that box won't be supported forever (though I daresay it will be supported for longer than a smart TV), but replacing it means replacing a small $99 gadget—not a thousand bucks of flat panel.

236 Reader Comments

Normally I'm happy about having wired and networked things, but not with appliances. Mostly dumb has served us well, and I can't see much value in my oven running Android. OTOH, I can see a lot of issues with the same thing happening.

Samsung has a problem updating their phones and tablets to the most recent OS; do we need to worry about our fridge's OS, too?

Well, my Samsung SmartTV seems to receive updates with annoying frequency, both for its primary launcher and for each of the apps, like HBOGo and Netflix. The TV has an app store for god's sake. So in the future you might want to take the whole ecosystem into consideration when it comes to things you didn't previously think depended on such an ecosystem. A couple of years ago "app" wasn't even a word, and now people are familiar with the idea of having to update apps on their phones, so there's no reason you can't spread that to other things.

These are all durable goods, kept for the long term without any equivalent to the smartphone carrier subsidy to promote premature replacement. If they're going to be smart, software-powered devices, they're going to need software lifecycles that are appropriate to their longevity.

That costs money, it requires a commitment to providing support, and it does little or nothing to promote sales of the latest and greatest devices.

This is a societal problem. These things are not produced with the aim of bettering one's life (that's a side effect), they are produced with the aim of separating you from your money.

Why would anyone even remotely familiar with computers and embedded systems think "gosh, you know what my kitchen needs? MORE SOFTWARE." I mean, shit, my fridge already has plenty of mechanical possible failure points, I see no reason at all to add viruses and software crashes to the list of things that could go catastrophically wrong. Ditto for literally every other appliance I own.

Agree 100%. Appliance manufacturers have been trying to sell the "smart" fridge / dishwasher / oven / clothes washer for at least a decade but it's largely a solution in search of a problem. Who actually needs their fridge to tell them it's empty? You just open the door and look, which is probably something you do every morning anyway.

Add in built-in obsolescence and it's hard to see why anybody would want to pay a premium for it.

Cynically, I've always considered this to be a form of accelerated obsolescence that is purely profit-driven. The security issues are a concern as well. If my experience with Motorola and cellphone OS updates is any indication, you might not even get one year worth of updates.

I wonder how willing manufacturers are to hire and retain a staff of software devs to both develop new code and maintain old code.

I'm actually still waiting for a carrier to be sued for loss related to a bug or vulnerability in a smart phone that was known and the fix was released by Microsoft (I believe they can skip one update) or Google.

On your home PC you are the admin and are responsible for keeping your PC up to date. On most cells the Vendor is the admin and is responsible for keeping the phone up to date. While there are probably clauses in your contract it might be interesting to see them tested in court against say a negligence claim.

It will likely be the same with smart appliances, once a fire or two is caused by someone hacking an oven or dryer, or a gas explosion. If the manufacturer is in court and forced to say, "we were notified of this vulnerability but decided not to fix it," it might not be just a civil suit then.

You think LG's little phoning home problem is some kind of isolated incident? Every 'smart' appliance will be funneling sweet, sweet, consumer analytics back to the mothership as fast as it can, even before the bot-herders crack the pitifully outdated firmware.

Right after you tweet something about ghost pepper marathon and tag it with #yolo.

You know this does make me slightly sad for our future. We can (intelligently) trade insults with our furniture and appliances. Back when I was a kid (we had dinosaurs as recently as the mid '80s, apparently), we settled for insulting each other. Kids these days don't know how good they have it. Get off my lawn!

This is not new. We already have this problem with SCADA and security camera DVRs. But I guess people need to be reminded about the security implications of these things.

I was just rereading some rants about security, and found again Joanna Rutkowska's The three approaches to computer security. These three ways are: Correctness, Isolation, and Obscurity (encryption, randomization).

These Internet-connected Things clearly fail Correctness and Obscurity. I intend to use Isolation. I'll use my router's VLAN features to set up a network without any direct connection to the Internet, and interact with the device only through a limited, external gateway. That should make it more difficult for malware to reach the Thing, or for malware on the Thing to affect the rest of my network.

Couldn't they use a well-established OS like Android to gain access to its app ecosystem, or does Google only allow Android (or its Google Play Store) to be used for things like handsets?

I still don't really see a point in smart devices, but if they become mainstream/common, I hope that it doesn't create yet another platform for developers to maintain.

I am pretty sure that Google lets you use Android for basically anything you want, but may restrict access to the Play Store if you don't meet their specifications (see Amazon's Kindle Fire series of tablets).

With that said...what apps do you really want on your appliances? Do you really need Star Wars Angry Birds on your toaster? I know recipe apps can be very helpful in the kitchen but even for that case I'd prefer having them on a tablet I can carry around with me while I work. Past that I can't think of a use case that makes it worthwhile.

You could imagine a nice modular approach for smart durable goods where the equivalent of a BIOS is baked into the object itself and everything else sits in a module that plugs in or talks USB or Bluetooth or whatever (which would at least be a step up from IR blasters and having to have a second remote just to turn your TV on and change the volume). But that wouldn't be maximally profitable in the short term or exclude enough 3rd-party addons for most manufacturers.

There are the privacy issues (at least we have community rating so insurance companies don't care about our detailed eating habits), but for lots of appliances, as with cars, there are also serious safety issues. You really don't want your stove turning on full blast when you click on a spearphishing link from your phone, or your refrigerator deciding that it's OK to turn off during the day while you're away.

No doubt manufacturers will work these issues out after a few generations of early adopters have served as paying beta testers....

I'd rather see devices like fridges have something akin to SNMP and then have some "box" in my house able to talk to all of them and do things like warn me when the fridge temp is not within range, the stove has been on for >4 hours, the battery in my smoke alarm is low, etc.

Even better than the Rokus or the Apple TVs of the world would be devices like the Chromecast, which are extremely cheap and avoid the problem of yet one more storage bucket for your media, set of logins for your services, and extra remotes sitting around. Not that there isn't a place for set top boxes, of course, but if you want a screen on your refrigerator, I'd rather have a small HDMI device for streaming rather than needing to plug in my Twitter or Netflix login again to an Apple TV.

Of course, I can't imagine a scenario where I want a screen on my refrigerator. But if you must, just provide a screen and an input source, and then the source of your smarts becomes modular. Hopefully that allows Samsung to still make their money by selling the 'fridge pre-populated with some electronics, but also lets a user have some choice and replacement options.

I grew up with technology. I work in IT and am immersed in it all day. I love my tablet and my smartphone and my Chromecast and a hundred other gadgets. But I have a lot of trouble getting excited about smart appliances - I just don't see a compelling use case. What do I do with my internet connected washer? Get an email notification when it's done? Is that really so wonderful? I punch in my cheese purchase date so I'm notified when it's bad? Why does that have to be on my refrigerator - why is it better than my phone?

I must be one of those rare people who actually wants a smart home. For decades smart homes were promised to us in various tech mags and whatnot, but the reality usually included a prohibitively expensive centralized computer and wiring setup, and even still none of that included a convenient way to access those functions while away from your home. That is, until now. I don't want to tweet from my fridge. What I do want is the ability to check what's in my fridge from my phone while I'm out in the grocery store to see if there's something I need.

I do agree that security is a huge, huge issue, and one that needs to be addressed. But I really don't see how resisting the "internet of things" is the long-term solution. The way technology seems to be trending, this is an inevitability, not a could be.

So instead of resisting, how do we force these companies to take security and privacy seriously?

Smart laundry machines make sense for college dorms and large apartment complexes with shared laundry rooms where the residents want to see if there's any available without having to physically go and look, but I don't get why anyone would want that in a private house.

Want to be alerted when your laundry is done? Set an alarm on your phone for 45 minutes when you put stuff in the washer, then set another one for an hour when you move it to the dryer.

You think LG's little phoning home problem is some kind of isolated incident? Every 'smart' appliance will be funneling sweet, sweet, consumer analytics back to the mothership as fast as it can, even before the bot-herders crack the pitifully outdated firmware.

What you call malice they call opportunity! But yeah. There's almost no conceivable way a company is going to pass of scraping all that data. Hell, I doubt their shareholders would even let them not collect it and sell it on.

In the software world, there are companies that provide this level of support—the Microsofts and IBMs of the world—but it tends to be restricted to companies that have at least one eye on the enterprise market.

You might be a tad too pessimistic on this front. First of all, there is the recently established AllSeen alliance, which has some major players as members. Something that is good to see this early, since it will probably help common standards which eases maintenance.

Second, there is Technicolor, which is mostly a software company these days and not exactly a small one at that. They seem to be developing an API for the IoT named Qeo and for now, at least the marketing talk does not forget to mention security. And last week they announced Virdata, which seems to be a cloud stack for managing and analysing M2M data. One of the partners there is actually IBM.

And there will probably be others as well. Not that any of this guarantees a secure future, but the development is certainly not left over to hardware-first companies only as you seem to fear.

It isn't for Android, either, but we don't see the hardware companies deploying Google's updates.

I get the whole TV needing updating for apps that interact with the wild world of the internet. But something like a Smart Washing Machine need only send a message when it's done or be able to respond to a message to start. There is no reason to believe that will ever have to change. Hell, even if you buy a smart washing machine and 2 days later the world shifts from SMS to some quantum messaging, you will most likely still be able to get an app to send the SMS to your washing machine.

Well, talking about washing machines, is there a physical reason why we need both a washer and a dryer and can't just have 1 machine that can wash and dry clothes without intervention? A quick Google search shows that you can get these; no idea if they are good though.

Likewise, I could see a sort of smart fridge that lets you see what's on each shelf either via a camera or other method so you could check to see if you have something when you're not at home (i.e., at work attempting to figure out dinner). I can see a use case for most smart devices even if they are very limited. For instance, I would love to be able to assign outlets in my house to rooms and control the whole room remotely, including overhead lights. I know I could get part of the effect now with some of the "smart" lights that have come out recently, but not entirely the same thing.